From 02e99277146d8bd912f2f19af1d3e94a6181d90d Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Tue, 13 Dec 2016 22:31:35 +0100
Subject: Initial support for LDAP server authentication

Limitations as of this commit:

- tlsOptions can only be specified in config.json, not as env vars
- authentication failures are not yet gracefully handled by the UI
  - instead the error message is shown on a blank page (/auth/ldap)
- no email address is associated with the LDAP user's account
- no picture/profile URL is associated with the LDAP user's account
- we might have to generate our own access + refresh tokens,
  because we aren't using oauth. The currently generated
  tokens are just a placeholder.
- 'LDAP Sign in' needs to be translated to each locale
---
 lib/auth.js     | 33 ++++++++++++++++++++++++++++++++-
 lib/config.js   | 26 ++++++++++++++++++++++++++
 lib/response.js |  2 ++
 3 files changed, 60 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/auth.js b/lib/auth.js
index f167cede..1e21eb9f 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -7,6 +7,7 @@ var GithubStrategy = require('passport-github').Strategy;
 var GitlabStrategy = require('passport-gitlab2').Strategy;
 var DropboxStrategy = require('passport-dropbox-oauth2').Strategy;
 var GoogleStrategy = require('passport-google-oauth20').Strategy;
+var LdapStrategy = require('passport-ldapauth');
 var LocalStrategy = require('passport-local').Strategy;
 var validator = require('validator');
 
@@ -110,6 +111,36 @@ if (config.google) {
         callbackURL: config.serverurl + '/auth/google/callback'
     }, callback));
 }
+// ldap
+if (config.ldap) {
+    passport.use(new LdapStrategy({
+        server: {
+            url: config.ldap.url || null,
+            bindDn: config.ldap.bindDn || null,
+            bindCredentials: config.ldap.bindCredentials || null,
+            searchBase: config.ldap.searchBase || null,
+            searchFilter: config.ldap.searchFilter || null,
+            searchAttributes: config.ldap.searchAttributes || null,
+            tlsOptions: config.ldap.tlsOptions || null
+        },
+    },
+    function(user, done) {
+        var profile = {
+            id: 'LDAP-' + user.uidNumber,
+            username: user.uid,
+            displayName: user.displayName,
+            emails: [],
+            avatarUrl: null,
+            profileUrl: null,
+            provider: 'ldap',
+        }
+        var stringifiedProfile = JSON.stringify(profile);
+        // TODO: Generate secure tokens for LDAP users
+        var accessToken = 'debug-access-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
+        var refreshToken = 'debug-refresh-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
+        callback(accessToken, refreshToken, profile, done);
+    }));
+}
 // email
 if (config.email) {
     passport.use(new LocalStrategy({
@@ -130,4 +161,4 @@ if (config.email) {
             return done(err);
         });
     }));
-}
\ No newline at end of file
+}
diff --git a/lib/config.js b/lib/config.js
index 669fcaa8..a44c279b 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -93,6 +93,31 @@ var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSE
     clientID: process.env.HMD_GOOGLE_CLIENTID,
     clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
 } : config.google || false;
+var ldap = config.ldap || (
+    process.env.HMD_LDAP_URL ||
+    process.env.HMD_LDAP_BINDDN ||
+    process.env.HMD_LDAP_BINDCREDENTIALS ||
+    process.env.HMD_LDAP_TOKENSECRET ||
+    process.env.HMD_LDAP_SEARCHBASE ||
+    process.env.HMD_LDAP_SEARCHFILTER ||
+    process.env.HMD_LDAP_SEARCHATTRIBUTES
+) || false;
+if (ldap == true)
+    ldap = {};
+if (process.env.HMD_LDAP_URL)
+    ldap.url = process.env.HMD_LDAP_URL;
+if (process.env.HMD_LDAP_BINDDN)
+    ldap.bindDn = process.env.HMD_LDAP_BINDDN;
+if (process.env.HMD_LDAP_BINDCREDENTIALS)
+    ldap.bindCredentials = process.env.HMD_LDAP_BINDCREDENTIALS;
+if (process.env.HMD_LDAP_TOKENSECRET)
+    ldap.tokenSecret = process.env.HMD_LDAP_TOKENSECRET;
+if (process.env.HMD_LDAP_SEARCHBASE)
+    ldap.searchBase = process.env.HMD_LDAP_SEARCHBASE;
+if (process.env.HMD_LDAP_SEARCHFILTER)
+    ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
+if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
+    ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
 var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
 var email = process.env.HMD_EMAIL || config.email || false;
 
@@ -151,6 +176,7 @@ module.exports = {
     gitlab: gitlab,
     dropbox: dropbox,
     google: google,
+    ldap: ldap,
     imgur: imgur,
     email: email,
     imageUploadType: imageUploadType,
diff --git a/lib/response.js b/lib/response.js
index aae39851..f0f49181 100755
--- a/lib/response.js
+++ b/lib/response.js
@@ -66,6 +66,7 @@ function showIndex(req, res, next) {
         gitlab: config.gitlab,
         dropbox: config.dropbox,
         google: config.google,
+        ldap: config.ldap,
         email: config.email,
         signin: req.isAuthenticated(),
         infoMessage: req.flash('info'),
@@ -98,6 +99,7 @@ function responseHackMD(res, note) {
         gitlab: config.gitlab,
         dropbox: config.dropbox,
         google: config.google,
+        ldap: config.ldap,
         email: config.email
     });
 }
-- 
cgit v1.2.3


From 6ba9a2f039fe9c4d7495d30ae4f255b96d7f7530 Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Wed, 14 Dec 2016 11:49:33 +0100
Subject: Added HMD_LDAP_TLS_CA env variable

---
 lib/config.js | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'lib')

diff --git a/lib/config.js b/lib/config.js
index a44c279b..053d083b 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -118,6 +118,12 @@ if (process.env.HMD_LDAP_SEARCHFILTER)
     ldap.searchFilter = process.env.HMD_LDAP_SEARCHFILTER;
 if (process.env.HMD_LDAP_SEARCHATTRIBUTES)
     ldap.searchAttributes = process.env.HMD_LDAP_SEARCHATTRIBUTES;
+if (process.env.HMD_LDAP_TLS_CA) {
+    var ca = {
+        ca: process.env.HMD_LDAP_TLS_CA
+    }
+    ldap.tlsOptions = ldap.tlsOptions ? Object.assign(ldap.tlsOptions, ca) : ca
+}
 var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
 var email = process.env.HMD_EMAIL || config.email || false;
 
-- 
cgit v1.2.3


From 30071637998097b25a36b69af3a1affe3c18bf23 Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Wed, 14 Dec 2016 11:50:10 +0100
Subject: Tokens not required for ldap auth

---
 lib/auth.js | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

(limited to 'lib')

diff --git a/lib/auth.js b/lib/auth.js
index 1e21eb9f..b2c787b9 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -135,10 +135,36 @@ if (config.ldap) {
             provider: 'ldap',
         }
         var stringifiedProfile = JSON.stringify(profile);
-        // TODO: Generate secure tokens for LDAP users
-        var accessToken = 'debug-access-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
-        var refreshToken = 'debug-refresh-token|LDAP-' + user.uidNumber + '|' + config.ldap.tokenSecret + '|' + new Date().getTime();
-        callback(accessToken, refreshToken, profile, done);
+        models.User.findOrCreate({
+            where: {
+                profileid: profile.id.toString()
+            },
+            defaults: {
+                profile: stringifiedProfile,
+            }
+        }).spread(function (user, created) {
+            if (user) {
+                var needSave = false;
+                if (user.profile != stringifiedProfile) {
+                    user.profile = stringifiedProfile;
+                    needSave = true;
+                }
+                if (needSave) {
+                    user.save().then(function () {
+                        if (config.debug)
+                            logger.info('user login: ' + user.id);
+                        return done(null, user);
+                    });
+                } else {
+                    if (config.debug)
+                        logger.info('user login: ' + user.id);
+                    return done(null, user);
+                }
+            }
+        }).catch(function (err) {
+            logger.error('ldap auth failed: ' + err);
+            return done(err, null);
+        });
     }));
 }
 // email
-- 
cgit v1.2.3


From 3491f97f7e18a811e516431fa55429f015cef8c4 Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Wed, 14 Dec 2016 13:24:25 +0100
Subject: LDAP auth use email if provided

---
 lib/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/auth.js b/lib/auth.js
index b2c787b9..4b14e42c 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -129,7 +129,7 @@ if (config.ldap) {
             id: 'LDAP-' + user.uidNumber,
             username: user.uid,
             displayName: user.displayName,
-            emails: [],
+            emails: user.mail ? [user.mail] : [],
             avatarUrl: null,
             profileUrl: null,
             provider: 'ldap',
-- 
cgit v1.2.3


From 01361afa7a739f05493ca4a718d6ce5ffe728bc4 Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Fri, 6 Jan 2017 05:37:40 +0100
Subject: Profile pictures for LDAP users

---
 lib/letter-avatars.js | 23 +++++++++++++++++++++++
 lib/models/user.js    | 11 +++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 lib/letter-avatars.js

(limited to 'lib')

diff --git a/lib/letter-avatars.js b/lib/letter-avatars.js
new file mode 100644
index 00000000..e4d4f840
--- /dev/null
+++ b/lib/letter-avatars.js
@@ -0,0 +1,23 @@
+"use strict";
+
+// external modules
+var seedrandom = require('seedrandom');
+
+// core
+module.exports = function(name) {
+    var colors = ["#5A8770", "#B2B7BB", "#6FA9AB", "#F5AF29", "#0088B9", "#F18636", "#D93A37", "#A6B12E", "#5C9BBC", "#F5888D", "#9A89B5", "#407887", "#9A89B5", "#5A8770", "#D33F33", "#A2B01F", "#F0B126", "#0087BF", "#F18636", "#0087BF", "#B2B7BB", "#72ACAE", "#9C8AB4", "#5A8770", "#EEB424", "#407887"];
+    var color = colors[Math.floor(seedrandom(name)() * colors.length)];
+    var letter = name.substring(0, 1).toUpperCase();
+
+    var svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>';
+    svg += '<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" height="96" width="96" version="1.1" viewBox="0 0 96 96">';
+    svg += '<g>';
+    svg += '<rect width="96" height="96" fill="' + color + '" />';
+    svg += '<text font-size="64px" font-family="sans-serif" text-anchor="middle" fill="#ffffff">';
+    svg += '<tspan x="48" y="72" stroke-width=".26458px" fill="#ffffff">' + letter + '</tspan>';
+    svg += '</text>';
+    svg += '</g>';
+    svg += '</svg>';
+
+    return 'data:image/svg+xml;base64,' + new Buffer(svg).toString('base64');
+};
diff --git a/lib/models/user.js b/lib/models/user.js
index aaf344de..7d27242c 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -7,6 +7,7 @@ var scrypt = require('scrypt');
 
 // core
 var logger = require("../logger.js");
+var letterAvatars = require('../letter-avatars.js');
 
 module.exports = function (sequelize, DataTypes) {
     var User = sequelize.define("User", {
@@ -105,6 +106,16 @@ module.exports = function (sequelize, DataTypes) {
                     case "google":
                         photo = profile.photos[0].value.replace(/(\?sz=)\d*$/i, '$196');
                         break;
+                    case "ldap":
+                        //no image api provided,
+                        //use gravatar if email exists,
+                        //otherwise generate a letter avatar
+                        if (profile.emails[0]) {
+                            photo = 'https://www.gravatar.com/avatar/' + md5(profile.emails[0]) + '?s=96';
+                        } else {
+                            photo = letterAvatars(profile.username);
+                        }
+                        break;
                 }
                 return photo;
             },
-- 
cgit v1.2.3


From b044c2ae19e1cacf81524dad15739ea61f4479cb Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Fri, 6 Jan 2017 07:06:58 +0100
Subject: Use randomcolor not seedrandom for avatar backgrounds

---
 lib/letter-avatars.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'lib')

diff --git a/lib/letter-avatars.js b/lib/letter-avatars.js
index e4d4f840..437e3e76 100644
--- a/lib/letter-avatars.js
+++ b/lib/letter-avatars.js
@@ -1,12 +1,11 @@
 "use strict";
 
 // external modules
-var seedrandom = require('seedrandom');
+var randomcolor = require('randomcolor');
 
 // core
 module.exports = function(name) {
-    var colors = ["#5A8770", "#B2B7BB", "#6FA9AB", "#F5AF29", "#0088B9", "#F18636", "#D93A37", "#A6B12E", "#5C9BBC", "#F5888D", "#9A89B5", "#407887", "#9A89B5", "#5A8770", "#D33F33", "#A2B01F", "#F0B126", "#0087BF", "#F18636", "#0087BF", "#B2B7BB", "#72ACAE", "#9C8AB4", "#5A8770", "#EEB424", "#407887"];
-    var color = colors[Math.floor(seedrandom(name)() * colors.length)];
+    var color = randomcolor({seed: name});
     var letter = name.substring(0, 1).toUpperCase();
 
     var svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>';
-- 
cgit v1.2.3


From e4fe93249f2af24b113573825aa66350b25e405e Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Fri, 6 Jan 2017 07:18:22 +0100
Subject: dark avatar backgrounds only

---
 lib/letter-avatars.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/letter-avatars.js b/lib/letter-avatars.js
index 437e3e76..767a2efd 100644
--- a/lib/letter-avatars.js
+++ b/lib/letter-avatars.js
@@ -5,7 +5,10 @@ var randomcolor = require('randomcolor');
 
 // core
 module.exports = function(name) {
-    var color = randomcolor({seed: name});
+    var color = randomcolor({
+        seed: name,
+        luminosity: 'dark',
+    });
     var letter = name.substring(0, 1).toUpperCase();
 
     var svg = '<?xml version="1.0" encoding="UTF-8" standalone="no"?>';
-- 
cgit v1.2.3


From 94abfaba7c5b7655eda3d6547144adfa26c90a5f Mon Sep 17 00:00:00 2001
From: alecdwm
Date: Fri, 6 Jan 2017 07:21:59 +0100
Subject: removed comma

---
 lib/letter-avatars.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/letter-avatars.js b/lib/letter-avatars.js
index 767a2efd..3afa03fe 100644
--- a/lib/letter-avatars.js
+++ b/lib/letter-avatars.js
@@ -7,7 +7,7 @@ var randomcolor = require('randomcolor');
 module.exports = function(name) {
     var color = randomcolor({
         seed: name,
-        luminosity: 'dark',
+        luminosity: 'dark'
     });
     var letter = name.substring(0, 1).toUpperCase();
 
-- 
cgit v1.2.3